Risk Assessment Values
The core of the OSSTMM is risk assessment values (RAVs). Anyone can legally use these, though they're protected under the Open Methodology License. Technically speaking, RAVs don't actually assess risk, but rather collect the information needed to assess risk. They also don't weight results; they're purely metrics for discerning how many mitigated and unmitigated risks exist.
The goal of using RAVs is simple: producing factual numbers. Regardless of auditor or auditing firm, companies can use these numbers as a security baseline—results should be consistent and repeatable no matter who's created them—and then use them to measure improvement.
That's in sharp contrast to the risk-management status quo. "The problem with risk assessment now is that they just ask you a bunch of questions," says Herzog. As a result, answers aren't precise enough. By contrast, RAVs seek to quantify exactly what's needed. In other words, it's the difference between "knowing you need a large desk and knowing that you need one that measures 2.2 meters by 3 meters." With the item measured (quantified), someone can buy exactly what's needed.
The overall goal for the OSSTMM is to help companies decide what the right amount of security is. While many think of the OSSTMM as an information security audit test, it can audit any kind of security. For example, Herzog recently posed this hypothetical question to some military officers: "You have two guards at the door. Is a third going to be better or not?" Of course, the reply was that a third guard is better. "Why is spending the money and resources on the guard necessarily better," Herzog asks, without squaring it with an overall view of base security? "That's how the security industry is now: 'Oh, we need another firewall.' 'Oh, why?'"
Areas with high-value items need more security—in both the physical and information security world—and lower-value items need less. It's a classic risk-management strategy: Make it more expensive for an attacker to penetrate or steal systems than the value of what's stored therein.
Intent aside, when it comes to security testing methodologies, the OSSTMM doesn't just fill a gap. "There is nothing like it," claims Herzog. What does exist are proprietary security testing methodologies, but he decries those, since no one ever knows what comprises them. "After we released OSSTMM, we even had people criticizing it by saying, 'It's not as good as our secret methodology, but it's good.'" Of course, when it comes to improving everyone's information security practices, if everyone has a secret formula, how do you know which one is better?
As with all things information-security related, many OSSTMM users don't make themselves known, but Herzog counts U.S. government agencies and numerous companies among the user base. "In the first year of the OSSTMM, all we wanted to do was track who was using it," he says, "but since then, we have had too little time to track this [information] and it's left us a little in the dark on the identities of our users."
One often-requested OSSTMM feature is reporting, so non-security auditors can see what's happening on the security front. "They want reporting as much as they want security, and they'd be happy if there was a real-time security dashboard that would tell you exactly what the computer security people were up to," notes Herzog.
The OSSTMM has included a report template since version 2.1, but Herzog mentions problems with people passing off simple vulnerability scans as a complete OSSTMM report. To address that problem, the next version of the OSSTMM will include an audit report to be signed by the auditor. This questionnaire, approximately 10 pages in length, is similar to an ISO 9000 document, verifying that what the auditor did was correct, that he generated RAVs, and so on.